In another high-profile takedown of a security executive connected to a security breach, the U.S. Securities and Exchange charged SolarWinds and its CISO with fraud and internal failures in connection with a highly damaging cyberattack.
The Austin, Texas-based software company SolarWinds Corp. and its CISO, Timothy G. Brown, were indicted in a federal complaint filed Oct. 30 for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
The complaint says from the company’s 2018 public offering through its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.
In its filings with the SEC during this period, federal prosecutors allege SolarWinds misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown “knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”
In a blog post, SolarWinds President and CEO Sudhakar Ramakrishna said the company will “vigorously” defend against the federal charges.
“How we responded to SUNBURST is exactly what the U.S. government seeks to encourage,” Ramakrishna said. “So, it is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.”
Ramakrishna added that SolarWinds maintained appropriate cybersecurity controls prior to the Russian SUNBURST hack, “and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats.”
The complaint alleges SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments — including a 2018 presentation prepared by a company engineer and shared internally.
The presentation found SolarWinds’ remote access setup was “not very secure” and someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds.
Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
In addition, the SEC’s complaint alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks.
For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient.”
And a September 2020 internal document shared with Brown and others stated, according to the federal complaints, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”
The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.
As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.
SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020 Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
Grewel added the indictment “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations.
The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.